
Security Policy

How we protect your data

This page describes the technical and organizational measures Aragon implements to protect the data of our business customers and their end users.

Effective: 1 March 2024
SOC 2 Type II compliant

Overview

At Aragon, we take the protection of customer data extremely seriously. This Security Policy describes the organizational and technical measures Aragon implements platform-wide, designed to prevent unauthorized access, use, alteration, or disclosure of customer data. Aragon services operate on Amazon Web Services, Heroku, and Vercel. Our team includes engineers who have led the design, build, and operation of highly secure Internet-facing systems at companies ranging from startups to large public companies.

01 Access Control

Access to systems that process Customer Personal Data operates on a principle of least privilege — rights are scoped to job function and revoked promptly when no longer required.

Role-based access

Access is granted only to personnel who require it for their role, and reviewed regularly.

Multi-factor authentication

MFA is enforced on key systems and cloud services used to operate the platform, including GitHub, AWS, Heroku, and Vercel.

Session controls

Automatic session timeouts are enforced. Access is terminated promptly upon role changes or departures.

Strong password policies

Strong password requirements are enforced across all tools and systems used to operate the platform.

02 Encryption

All Customer Personal Data is encrypted in transit and at rest. Aragon services are served exclusively over HTTPS.

  • Data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest is encrypted using AES-256.
  • All API and application endpoints are TLS/SSL only.

03 Network Security

Cloud infrastructure is protected by multiple layers of network-level controls.

  • Firewalls and intrusion detection systems protect all service boundaries.
  • Network segmentation isolates systems that process Customer Personal Data.

04 Vulnerability Management

Aragon takes a proactive approach to identifying and remediating vulnerabilities.

  • Automated vulnerability scanning runs continuously across production systems.
  • Findings are triaged and remediated by severity.
  • Periodic penetration testing is conducted by independent security professionals.

05 Incident Response

Aragon maintains a formal incident response plan. All personnel are trained on escalation procedures.

  • Security events are escalated and triaged upon detection. Application monitoring (via Sentry) provides continuous visibility across all services.
  • Confirmed incidents result in a written post-mortem, reviewed across the organization, with documented action items.
  • Aragon will promptly notify customers in writing upon verification of a security breach affecting their data, including the status of Aragon's investigation.

06 Infrastructure & Continuity

Aragon runs entirely in the cloud. We do not operate physical servers, routers, or load balancers. Physical controls are governed by our infrastructure providers' own certifications. Customer Personal Data is hosted on AWS and Heroku, which runs on AWS infrastructure (us-east-1).


Customer data is stored in multi-tenant datastores with strict logical separation enforced in application code. Continuity measures include regular automated backups, a tested disaster recovery plan, and redundant infrastructure.

07 Personnel

All personnel authorized to access Customer Personal Data are bound by confidentiality obligations and receive data protection training appropriate to their role. Disciplinary procedures apply to any unauthorized access or disclosure. Access is revoked promptly upon role change or departure.

08 Payment Security

Aragon does not store payment card data. All payment processing is handled directly by Stripe, Paddle, and RevenueCat (for mobile in-app purchases).

09 Customer Responsibilities

Customers are responsible for the following within their use of the Services. Full obligations are set out in the Customer Service Agreement.

  • Managing user accounts and End User access within their organization, including timely deprovisioning when access is no longer required.
  • Protecting account credentials and the email addresses associated with accessing Aragon services.
  • Ensuring use of the Services complies with the Agreement and applicable law, including with respect to authorized End Users.
  • Notifying Aragon promptly if a user credential is compromised or if suspicious activity is detected that may affect the security of Customer's account.
  • Not performing penetration tests or security assessments on Aragon systems without Aragon's express advance written consent.

Security Contact

For security questions or concerns, contact us directly.

Aragon AI, Inc. — Security Department

440 N Barranca Ave #4760, Covina, CA 91723
support@aragon.ai


Copyright © 2026 Aragon AI, Inc. All rights reserved.
